Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1])
 by ietfa.amsl.com (Postfix) with ESMTP id 36E8C1A1BD9
 for <dnsop@ietfa.amsl.com>; Fri,  6 Mar 2015 10:59:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.208
X-Spam-Level: 
X-Spam-Status: No, score=0.208 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, GB_ABOUTYOU=0.5, HTML_IMAGE_ONLY_24=1.618,
 HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01]
 autolearn=no
Received: from mail.ietf.org ([4.31.198.44])
 by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id U1_QU2-UobzO for <dnsop@ietfa.amsl.com>;
 Fri,  6 Mar 2015 10:59:28 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org
 [IPv6:2001:559:8000:cd::5])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by ietfa.amsl.com (Postfix) with ESMTPS id 5AD311A1B6D
 for <dnsop@ietf.org>; Fri,  6 Mar 2015 10:59:28 -0800 (PST)
Received: from [IPv6:2001:559:8000:cb:b015:3cb0:25ba:df77] (unknown
 [IPv6:2001:559:8000:cb:b015:3cb0:25ba:df77])
 (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by family.redbarn.org (Postfix) with ESMTPSA id BF98E1814C;
 Fri,  6 Mar 2015 18:59:28 +0000 (UTC)
Message-ID: <54F9F90D.1020806@redbarn.org>
Date: Fri, 06 Mar 2015 10:59:25 -0800
From: Paul Vixie <paul@redbarn.org>
User-Agent: Postbox 3.0.11 (Windows/20140602)
MIME-Version: 1.0
To: Simon Perreault <sperreault@jive.com>
References: <20150306145217.GA8959@nic.fr> <54F9C29E.9040408@jive.com>
In-Reply-To: <54F9C29E.9040408@jive.com>
X-Enigmail-Version: 1.2.3
Content-Type: multipart/alternative;
 boundary="------------030604000404030505000309"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/9skIgFaAbpEpHS2eOSPsSuPZ2mQ>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] More work for DNSOP :-)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>,
 <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>,
 <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Mar 2015 18:59:30 -0000

This is a multi-part message in MIME format.
--------------030604000404030505000309
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit



> Simon Perreault <mailto:sperreault@jive.com>
> Friday, March 06, 2015 7:07 AM
>
> ...
>
> The problem with ANY is that it appears to work just fine. If a
> significant chunk of DNS servers start breaking ANY then it might
> discourage naive developers from attempting to use it. 

there's a much bigger problem with ANY, which is, its only valid use is
for diagnostics. like RD=0 sent to a recursive-only non-authoritative
name server, its intended purpose is helping other people learn things
about your name server state that you get no direct benefit from exposing.

mozilla's use of ANY is abusive. when sendmail used to send ANY queries,
we thought it could save round trips. we eventually learned that this
was crazy-talk. mozilla's abuse inevitably brings cloudflare's defense.

let's nip one meme in the bud, though: deprecating ANY will not change
the reflecting/amplifying landscape other than to obsolete some of the
existing low-end DDoS tools, which will quickly be changed to ask for
TXT or NS (or even better, DNSKEY).

-- 
Paul Vixie
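The last paragraph has a detection consequence worth making concrete: a rule that keys on QTYPE=ANY stops firing the moment the reflector switches to TXT, NS or DNSKEY, while a rule that keys on bytes-out versus bytes-in per source address keeps working whatever the qtype. The following is an added example written for this page, not code from the original post or from any DNS vendor. The log format (one line per query/response pair with both payload sizes, roughly what a packet capture or dnstap export can be reduced to), the sample lines, the field layout and the thresholds are all constructed assumptions.

```python
"""Per-source DNS amplification scoring over a constructed query/response log.

Added example, not part of the original mailing-list post.  The log format,
sample records and thresholds are assumptions made for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log.  Fields: ts source qname qtype query_bytes response_bytes
# 203.0.113.9 reflects with ANY, 198.51.100.7 reflects with DNSKEY,
# 192.0.2.55 is an ordinary stub resolver.  Sizes are illustrative.
SAMPLE_LOG = """\
1425668365 203.0.113.9 example.net ANY 41 3210
1425668365 203.0.113.9 example.net ANY 41 3210
1425668366 203.0.113.9 example.net ANY 41 3210
1425668366 203.0.113.9 example.net ANY 41 3210
1425668367 198.51.100.7 example.net DNSKEY 44 1980
1425668367 198.51.100.7 example.net DNSKEY 44 1980
1425668367 198.51.100.7 example.net DNSKEY 44 1980
1425668368 198.51.100.7 example.net DNSKEY 44 1980
1425668368 192.0.2.55 www.example.net A 44 60
1425668369 192.0.2.55 mail.example.net MX 46 120
1425668370 192.0.2.55 example.net TXT 41 300
"""


@dataclass
class SourceStats:
    """Aggregate counters for one source address (the victim, if spoofed)."""
    queries: int = 0
    query_bytes: int = 0
    response_bytes: int = 0
    qtypes: set = field(default_factory=set)

    @property
    def amplification(self) -> float:
        """Bytes sent back per byte received; the number a reflector cares about."""
        return self.response_bytes / self.query_bytes if self.query_bytes else 0.0


def parse_line(line: str):
    """Split one constructed log record into typed fields."""
    ts, source, qname, qtype, qlen, rlen = line.split()
    return int(ts), source, qname, qtype.upper(), int(qlen), int(rlen)


def aggregate(log_text: str) -> dict:
    """Fold the log into per-source statistics."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, source, _, qtype, qlen, rlen = parse_line(line)
        s = stats[source]
        s.queries += 1
        s.query_bytes += qlen
        s.response_bytes += rlen
        s.qtypes.add(qtype)
    return dict(stats)


def flag_any_only(stats: dict) -> list:
    """Naive rule: flag sources that asked for ANY.  Misses the DNSKEY reflector."""
    return sorted(src for src, s in stats.items() if "ANY" in s.qtypes)


def flag_by_amplification(stats: dict, min_ratio: float = 10.0,
                          min_queries: int = 3) -> list:
    """qtype-agnostic rule: flag sources whose byte ratio exceeds min_ratio
    after at least min_queries queries.  Catches ANY, DNSKEY, TXT or NS alike."""
    return sorted(src for src, s in stats.items()
                  if s.queries >= min_queries and s.amplification >= min_ratio)


if __name__ == "__main__":
    stats = aggregate(SAMPLE_LOG)
    for src, s in sorted(stats.items()):
        print(f"{src:15} queries={s.queries:2d} ratio={s.amplification:6.1f} "
              f"qtypes={','.join(sorted(s.qtypes))}")
    print("ANY-only rule flags:   ", flag_any_only(stats))
    print("amplification rule flags:", flag_by_amplification(stats))
```

Note that in a reflection attack the source address is spoofed, so the per-source buckets are really per-victim; the useful response is a response-rate limit on that address, not a block on the qtype. The ANY-only rule above flags one of the two reflectors in the sample; the ratio rule flags both, and would keep doing so if the tool moved on to NS or TXT.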

--------------030604000404030505000309--

